Feature suggestion (Linux): allow connecting to server with broken algorithm certificates

New Member


I'm trying to use Pulse Secure Client for Linux installed with deb-package version 9.0R2-819.

I cannot use the PulseClient_x86_64.sh because the VPN server has MFA enabled.

When I try to connect to the server with pulseUi, I get the following error message:

Unable to load page
Problem occurred while loading the URL https://<VPN url here>
Unacceptable TLS certificate

The server certificate CA is trusted on my machine and connecting to the endpoint with, e.g., Chrome does not show any certificate errors.

However, I discovered that running gnutls-cli shows the following error:

- Status: The certificate is NOT trusted. The certificate chain uses insecure algorithm.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.

Running gnutls-cli again with --verify-allow-broken connects successfully.

I guess using the same flag from pulseUi would allow me to connect to the endpoint, but there is no such flag present at the moment. Since the VPN server works seamlessly with Windows and OS X, I'm not getting any support from my organization to fix the certificates.

Moderator

Re: Feature suggestion (Linux): allow connecting to server with broken algorithm certificates

PulseUI will show an untrusted SSL certificate error if the identity certificate presented by the VPN server during the SSL handshake is not trusted by the local machine or the certificate chain is incomplete.

If the certificate trust is OK when connecting from browsers, then it seems that the certificate chain is incomplete. Ideally, browsers will take advantage of the AIA attribute value in the intermediate CA (which signed the VPN device certificate) to identify the root CA (which signed the intermediate CA cert) and validate the trust chain.

Whereas the Pulse Linux Client will always look for the certificate chain provided by the VPN server, even though we have added both the intermediate and root CA to the local trust store.

Confirm the trust chain status by running an SSL scan against your VPN server URL; such scans are provided by many CAs (available on the internet; Google it).

If the report shows that the VPN server is not providing the intermediate certificate during the handshake, then that's the problem. We have to request the VPN admin to add the missing CA to the intermediate CA trust store in the VPN configuration, so that the Linux users can connect.
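The two checks discussed in this thread (the original poster's gnutls "insecure algorithm" result and the moderator's "is the intermediate actually sent?" question) can both be answered from the chain the server presents, without an online scanner. The script below is an added example, not code from the poster or from Pulse Secure: it parses the "Certificate chain" section of `openssl s_client -showcerts` output, reports whether the presented chain reaches a root in the local store without any AIA fetching (the situation the moderator describes for the Linux client), and flags any presented certificate signed with MD5 or SHA-1. The `s:`/`i:` lines are printed by every OpenSSL version; the `a: ... sigalg:` line is an OpenSSL 3.x feature and is treated as optional. The two sample outputs, the DNs in them and the `TRUSTED_ROOT_SUBJECTS` set are all constructed for the example.

```python
#!/usr/bin/env python3
"""Added example: inspect the chain a TLS server presents, offline.

Feed it the text of
    openssl s_client -connect vpn.example.com:443 -servername vpn.example.com -showcerts </dev/null
All sample output and trust-store contents below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Signature digests that current verifiers (GnuTLS, browsers) reject.
WEAK_DIGESTS = ("md5", "sha1")


@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str
    sigalg: Optional[str] = None   # only present with OpenSSL 3.x output

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def parse_chain(s_client_output: str) -> list:
    """Extract the 'Certificate chain' section of s_client output."""
    entries, current, in_chain = [], None, False
    for line in s_client_output.splitlines():
        if line.startswith("Certificate chain"):
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":             # section separator; PEM lines are longer
            break
        m = re.match(r"\s*(\d+) s:(.*)$", line)
        if m:
            current = ChainEntry(int(m.group(1)), m.group(2).strip(), "")
            entries.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"\s*i:(.*)$", line)
        if m:
            current.issuer = m.group(1).strip()
            continue
        m = re.search(r"sigalg:\s*([^\s;]+)", line)
        if m:
            current.sigalg = m.group(1)
    return entries


def assess_chain(entries, trusted_root_subjects) -> dict:
    """Does the presented chain reach a local root without AIA fetching,
    and does any presented signature use a weak digest?"""
    result = {"complete": False, "missing_issuer": None, "weak_depths": [], "findings": []}
    if not entries:
        result["findings"].append("server presented no certificates")
        return result
    # Each presented certificate must be issued by the next one presented.
    for lower, upper in zip(entries, entries[1:]):
        if lower.issuer != upper.subject:
            result["findings"].append(
                f"depth {lower.depth} issuer '{lower.issuer}' is not depth {upper.depth} subject")
    last = entries[-1]
    if last.self_signed:
        result["complete"] = last.subject in trusted_root_subjects
        if not result["complete"]:
            result["findings"].append(f"presented root '{last.subject}' is not in the local store")
    elif last.issuer in trusted_root_subjects:
        result["complete"] = True                # root not sent, but it is local: fine
    else:
        result["missing_issuer"] = last.issuer
        result["findings"].append(
            f"chain stops at depth {last.depth}; issuer '{last.issuer}' was neither sent nor "
            "found locally (a browser would fetch it via AIA; a chain-only client fails)")
    # A self-signed trust anchor is trusted by identity, so its own signature is
    # exempt; every other signature in the chain must use a strong digest.
    for e in entries:
        if e.sigalg and not e.self_signed and any(w in e.sigalg.lower() for w in WEAK_DIGESTS):
            result["weak_depths"].append(e.depth)
            result["findings"].append(f"depth {e.depth} '{e.subject}' is signed with {e.sigalg}")
    return result


# Constructed sample 1: complete chain, but the intermediate is SHA-1 signed
# (the kind of chain gnutls-cli rejects with "uses insecure algorithm").
SAMPLE_WEAK = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = vpn.example.com
   i:C = US, O = Example Corp, CN = Example Issuing CA
   a:PKEY: RSA, 2048 (bit); sigalg: RSA-SHA256
-----BEGIN CERTIFICATE-----
(PEM body omitted in this constructed sample)
-----END CERTIFICATE-----
 1 s:C = US, O = Example Corp, CN = Example Issuing CA
   i:C = US, O = Example Corp, CN = Example Root CA
   a:PKEY: RSA, 2048 (bit); sigalg: RSA-SHA1
-----BEGIN CERTIFICATE-----
(PEM body omitted in this constructed sample)
-----END CERTIFICATE-----
---
Server certificate
"""

# Constructed sample 2: server sends only the leaf; the intermediate is missing.
SAMPLE_INCOMPLETE = """\
---
Certificate chain
 0 s:CN = vpn.example.com
   i:C = US, O = Example Corp, CN = Example Issuing CA
   a:PKEY: RSA, 2048 (bit); sigalg: RSA-SHA256
---
Server certificate
"""

# Constructed stand-in for the subjects of roots in the local trust store.
TRUSTED_ROOT_SUBJECTS = {"C = US, O = Example Corp, CN = Example Root CA"}


def main():
    for name, text in (("weak-sig chain", SAMPLE_WEAK), ("leaf-only chain", SAMPLE_INCOMPLETE)):
        r = assess_chain(parse_chain(text), TRUSTED_ROOT_SUBJECTS)
        print(f"{name}: complete={r['complete']} weak_depths={r['weak_depths']}")
        for f in r["findings"]:
            print("  -", f)


if __name__ == "__main__":
    main()
```

Run against a live server by capturing the `s_client` output to a file and passing its text to `parse_chain`. On a real system the trust-store subjects would be read from the CA bundle rather than hard-coded; the logic is the same. A chain that comes back `complete=True` with an empty `weak_depths` list is one that a client which only uses the presented chain, and which rejects SHA-1, should accept, while `missing_issuer` being set is exactly the incomplete-chain case the reply above asks you to check for.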
Moderator

Re: Feature suggestion (Linux): allow connecting to server with broken algorithm certificates

It's the "Dynamic Trust" feature which is missing for the Linux Client and available for Windows and Mac clients.
Moderator

Re: Feature suggestion (Linux): allow connecting to server with broken algorithm certificates

Do you know if the system is configured to have TLS 1.2, FIPS, or NDcPP enabled (these do not work on CentOS)?
Which version of Linux are you using?
Does the UI-based connection succeed?